2023第七届HECTF信息安全挑战赛 Writeup

web

伪装者

访问时按提示填好参数;解码 Flask 的 session cookie 时可以看到其中直接给出了 key,用这个 key 重新签名 session 即可(Flask 的 session cookie 只做签名、不加密,客户端可以直接读到内容)。最后还有一步 SSRF,请求如下:

GET /img?url=http://127.0.0.1/P1aceuWillneverkn0w HTTP/1.1
Host: 101.132.112.252:32255
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Firefox
Referer: ctf.sc0de.com
Cookie: session=eyJrZXkiOiJ6eGsxaW5nIiwidXNlcm5hbWUiOiJhZG1pbiJ9.ZVhPeQ.xSKuALN_JIcJtpozwG0r0yeDoH8
Upgrade-Insecure-Requests: 1
X-Forwarded-For:127.0.0.1
Connection: close

Crypto

rsarsa

import gmpy2
from functools import reduce
from Crypto.Util.number import *
import random

# PRNG seed; passed to random.seed() further down to regenerate the random values.
seed = 114514
# c: ciphertext that is decrypted with e = 65537 further down (result stored as `hint`).
c = 23001012057110779471190091625946693776382380529397302126337301229214301450335125076016991835054198112255974220434689958104931664098817350134656616154892781885504255726632558690544057380195511404078662094726952602350250840712610362029824982069179543810686494204685887486972937880502875441232004432323308734978847464589775857815430854038396134952486665687531579988133729365443247597395131516449487146786214227230853061720614077115599878358089377114269765796099004940883513036567103436154122335792598432012140232905658895014924069330265282364249236142072335363164451294973492092043110680377767954710822286121195290921259
# n: the RSA modulus used for c, c1 and c2.
n = 25797576442752368834409243494498462987370374608513814739930733437032797864549696772439769896270235017474841764016848627149724764584643408544417890463920153063835758878658712790547466715525246861709503145754424896044647787146006099053059124466248594151765065039034244830614724509092882854620642569723528913880146979990993657935598837645247839225413889995373643109990149255485373119338024345925311643249141660177285328457994476509430988280481564046398593906405870633323621548853838399385539924067139236445142933316057900841508972844270649504321178274091144241788883353514769368447833090379142367062327674855735832181241
# c1, c2: ciphertexts that are decrypted with public exponent 17 further down.
c1 = 5702553209026762891130621254037294747819864952568824327221430749829654552175171307151888953348659971422228556686092434932000213695492351602755144510029319044193567051613888876933660356756790444392278614143455408803808095980542751023095024106689759843322130186219560734082292015929006937318400901378373771587448471762923415750064340829545587346927358411518874090282598069394946985795177419501659425500481799157093068337225389827654860680897913114945871197415129055139716514884716404289565297854681809258375973195355836553939670482515484347869258398517276876478311544109924573128946617113822561968330536525876279165313
c2 = 17562619948191690401152271053920025392401205523418067246455197241332062181407775133406742024747779181762812656501246379566147855594504112107873162350649668441267907193889705868572309785100582281795380779594946422800722070311908572538672508371123334385630310655242811756206073131919770939609347021343765434127086363844595938894714892990053114153402729297796655717510572619694559203260762574159375142757462082162882775921182437134358375300674547217425590072112733480640372328934982979603312597484512120618223179217692002851194538130349201457319160001114007059615596355221194709809437500052122684989302563103918409825040
# p, q: factors of n that the writeup author recovered with Fermat factorization.
# The two values agree in roughly the upper half of their decimal digits, i.e.
# the primes are very close together -- the situation in which Fermat's method
# succeeds quickly, and the reason RSA primes must not be chosen close to each other.
p = 160616239660727858899273379103592231155409056274229284184975467127574269595624091311175627078626817259122507024363284463167205592226280887239280008933792076628602313168161987456794466948371108388445589568660803435612911564349113520700334500717237521981464112146232603304167030094761289132103178741978484324163
q = 160616239660727858899273379103592231155409056274229284184975467127574269595624091311175627078626817259122507024363284463167205592226280887239280008933792069345408116962980054711105579607903079344180647686753187313507576711078157922258567830351506693970326314484271008164343339287427523462030830749467794546707
# Public exponent used for c.
e = 65537

# With both primes known, phi(n) and therefore every private exponent for this
# modulus can be computed directly.
phi = (p - 1) * (q - 1)

# The same modulus is used with two public exponents: e for c, 17 for c1/c2.
d1 = gmpy2.invert(e, phi)
d2 = gmpy2.invert(17, phi)
hint = gmpy2.powmod(c, d1, n)
a1, a2 = (gmpy2.powmod(ct, d2, n) for ct in (c1, c2))

# The PRNG is seeded with a constant that is part of the script, so its output
# is fully reproducible. Draw order matters: the two values in x are drawn
# first, then the two in y (y is not used afterwards).
random.seed(seed)
x = [random.randint(1, seed) for _ in range(2)]
y = [random.randint(1, seed) for _ in range(2)]

# Undo the linear transform: subtract the second random value, then divide by
# the first.
# NOTE(review): presumably a1 == m1 * x[0] + x[1] on the challenge side --
# inferred from this inversion, the challenge source is not shown here.
scale, offset = x
m1 = (a1 - offset) // scale

print(long_to_bytes(m1))
# b'HECTF{r3411y_easy_R4nd0m_And_r3l4ted_m3554ge_att4ck}'

大帝攻占福岛

# Ciphertext exactly as it appears in the writeup listing.
a = "zpvepoudbsgcdqwvjgocqg|rxrqo|feviefsyx}szwt|skqfl?NKIZLYZUVfU|jslhyfzmiom…"
BLOCK = 10
# Every 10-character block is shifted back by one more code point than the
# previous one: block 0 by 1, block 1 by 2, and so on.
for block_no, start in enumerate(range(0, len(a), BLOCK)):
    shift = -(block_no + 1)
    ...  # placeholder kept from the original listing (has no effect at runtime)
    decoded = [chr(ord(ch) + shift) for ch in a[start:start + BLOCK]]
    print("".join(decoded), end='')

我们仨

step1 https://blog.csdn.net/XiongSiqi_blog/article/details/133657050

key 等于 a 转成字节串后的前 16 字节重复两次(key * 2,共 32 字节)
iv = a 的后 16 字节 ^ key 的前一半(即 a 的前 16 字节)^ 1
key、iv 都出来了,那么 flag 也就出来了

from Crypto.Util.number import *
from Crypto.Cipher import AES

# Both the AES key and the IV are derived from this single value, so knowing
# `a` is enough to decrypt `c`.
a = 113271863767201424639329153097952947311122854394813183532903131317262533549675
c = b'_1\x16\xc2;\xb1\xddy\x14\xdd\x14\xe5{\x19\x04:'

a_bytes = long_to_bytes(a)
key = a_bytes[:16]      # first 16 bytes of a
tail = a_bytes[16:]     # remaining bytes of a
# IV = key XOR tail XOR 1, computed on the integer values.
iv = bytes_to_long(key) ^ bytes_to_long(tail) ^ 1

# The AES key is the 16-byte `key` repeated twice.
aes = AES.new(key * 2, AES.MODE_CBC, long_to_bytes(iv))
flag = aes.decrypt(c)
print(flag)
# Result noted by the writeup author: RSAKEYISFTCE
# Password 1: ISFTCE

step2

from Crypto.Util.number import long_to_bytes
from gmpy2 import gmpy2
from functools import reduce

# Factors of n as listed in the writeup. Every value is below 2**32, which is
# what makes a modulus of this shape easy to factor.
factor_lst = [2706073949, 3654864131, 2463878387, 3207148519, 2370292207, 2804303069, 2970591037, 4278428893, 2217990919, 2794985117, 3939901243, 2338725373, 2923072267, 4093178561, 3831680819]

# phi(n) as the product of (p_i - 1); this form assumes the listed factors are
# distinct primes.
phin = 1
for prime in factor_lst:
    phin *= prime - 1

e = 65537
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
c = 7650350848303138131393086727727533413756296838218347123997040508192472569084746342253915001354023303648603939313635106855058934664365503492172

# Private exponent from the totient, then a plain RSA decryption.
d = gmpy2.invert(e, phin)
m = pow(c, d, n)
print(long_to_bytes(m))
# b'keyisEa51stRsA'
# Ea51stRsA

step3 用在线工具解密:
https://the-x.cn/en-US/cryptography/Des.aspx

gIHkeIlRQp1fLeSWEqZJdOTO4aRYRB2OGRcBycHQ1OAdi6UEULYbwIvYh+0alYScSEoN4TOejgTjdPsetrURRlLX6dcifjX6VvLxY7TnMk7c8/xy17mybq/yNQf0vFGh8byC88bUeHian9dA2Qh6rRBYS1I7iNxM62RtCFZ+1OKeaqGIDjf3/VuPlbnCePYIY5FVs6xNXjkGh0m57t2QW4CoGI5lz6OcAAwg4AHP0d8CfeldOF/TogPwOiPaRlDbtHXCh54Bs5ZivV+jDerr0RQvCGYBFHYLJnvyrFtyZC9BxAQ8gQnGlWNDjE1V6BByUvJjpI9DcUyRSNN21rUWouOiLwtKX0BgDQkGH9PhtzhmGYI+R3lZJ4x30l+Xqweu

参数:DES,CBC 模式,PKCS7 填充,key:hectf,iv:0000

reverse

ezre

修改(patch)汇编,让程序直接输出密文,然后爆破即可。

easyvm

和上面一样:修改(patch)汇编让程序输出密文,然后直接爆破。

Ez_Android

用 frida hook 直接把迷宫输出来,再用 vim 照着走一遍就出了。

What_is_this

最后一层是 RC4。调试时直接把密文作为输入喂进去,程序自己就会解出来(RC4 加解密是同一个运算),得到 BAE038CEB74AF7FFEC767230B6673AF1

前面这部分先按正向逻辑写一遍,再逆向推回去:


# Round-key words dumped from the binary (named after the decompiler's symbol).
# The decompiled routine quoted further down reads indices 0..15 inside its
# 16-round loop and indices 16 and 17 after it, XORing each entry with 0xE
# before use; the last two entries are zero.
dword_140005040 = [0xB4B0BCD7, 0x0783096D, 0xC5FCB3FE, 0x2EBCC258, 0x23D7FF9E, 0xA0808A2E, 0x1596CDBF, 0x112BC0BE, 0x64D814F6, 0xF9689B18, 0x0E2EDA75, 0x765EA8C6, 0xC5498416, 0x04E0F7AC, 0x3AA11865, 0x4EA528EC, 0x96497BBB, 0x85E1BC09, 0x00000000, 0x00000000]
dword_140005090 = [0x545F1A09, 0x72BF3620, 0x6D095A3C, 0xD9BA0DDE, 0x5831A48F, 0x5D57E957, 0xD2C70CA1, 0x92D0B09E, 0x05986EA7, 0xC0B7239B, 0x414CA7FA, 0x8C640E78, 0x3D9293CA, 0x2E4E86D6, 0xD20DF3EF, 0xFCBFD616, 0xB1028B7A, 0x48A225B2, 0xC5310BED, 0x76EE8AAC, 0x2BCD6A6A, 0xE28AA179, 0x5544CF59, 0x59FD63B2, 0xAA66872B, 0xB287E29B, 0xFBA90BBB, 0x0E1B281B, 0xFD911773, 0xF6BA5930, 0x56907F76, 0xC7C2B119, 0x712DB50E, 0xA3D82A97, 0xE28FB5E3, 0x518C77C6, 0xA92DC986, 0xF33EEEC2, 0xE16D8B89, 0xD63710E1, 0x6448299D, 0x5857B76C, 0xDE3EFEB5, 0xAD7F19AA, 0x71959F2F, 0x2E145F4E, 0xE11AFAFB, 0x4AAB2D8D, 0xE093769C, 0xB2DFD433, 0xD2E1FDF0, 0x347B8EA7, 0x5EF7EF83, 0x05234DA3, 0x16D02042, 0x529CFBA3, 0xB45D1948, 0xC29A62CA, 0x0D5A403C, 0xFCFDD74A, 0x422FE841, 0xBE227973, 0x5CA46C11, 0x7F6DDE79, 0x57907220, 0xFF4F38BB, 0x0F0E7E68, 0xB5949BCB, 0xB0C4E5A9, 0x07BD3D32, 0xB63477A5, 0xEE345630, 0x7E545F42, 0x8F5D6FC7, 0x1DCED853, 0x7CC550A1, 0x85CAF19C, 0xEA35BE82, 0x740DC12C, 0x6C11482B, 0x6724E831, 0x071A95EF, 0x3DE202E6, 0x8D6F6C1E, 0x6FCB426B, 0x76EDE9EB, 0xB56161F8, 0xCC97988C, 0xDB929978, 0x79CDB2BC, 0x3EBB8978, 0x09F5C68C, 0x534A1041, 0x2B9E4EFC, 0x90D3990B, 0x375A53C7, 0xCC5225DC, 0x9D2E1677, 0xACDE0FFE, 0xD36EF19A, 0x9D44B7DE, 0xBFD191FB, 0x5D5E6099, 0xC126931D, 0xB2A872CB, 0xABF87B85, 0x148B2C1F, 0xB71DD952, 0xE5C4E6AA, 0x695DEACD, 0xB0133F33, 0x607EABA3, 0x5C891A46, 0xA29030FD, 0x72CDEA63, 0x96C45ED3, 0x354CD1A0, 0xEE1C81B5, 0x8EF0614C, 0xFDCD6E66, 0x62AA131B, 0xFBD151FD, 0x1C723721, 0x5A84A838, 0x80ED7440, 0x8F00096B, 0x0ABB2375, 0xF0043265, 0xFC325EC4, 0xC00B7984, 0xB025CEE5, 0xFC06F711, 0x24D6B5B6, 0x32230650, 0xD8AF1920, 0xEBE6C9EB, 0x7E8A59C2, 0x894F2D76, 0xB1BF7AED, 0xA6140381, 0x4F194296, 0x3F272849, 0x5DC4A95A, 0x9319302B, 0x3B7F9FD6, 0x61BCB8EA, 0x32DA5298, 0x12D4276A, 0xA517FD23, 0x3053D786, 0x1D22E501, 0x0E327073, 0x89B95B45, 0x31F251CD, 0x3FB600D3, 0xA790868A, 0xCD78FA9B, 0x60586111, 0x9CDF3BBE, 0x06FA5A61, 0x4CE2834B, 0x11CB2318, 0xFEFCEABB, 0x525A5BF8, 0x4F2A727D, 
0x76E81E8B, 0x0DA26958, 0x70AEA768, 0xF3C0DBFA, 0x933357D1, 0x534A3B2A, 0x0F36234B, 0x12F9229D, 0x28F134FC, 0x6F665B55, 0xF6EDEA7C, 0x919A8C91, 0x2CD0E8E4, 0xC21D2899, 0xC3B6E84E, 0x1ED4406C, 0x269ACDE7, 0x6BC1E63F, 0x361DCED3, 0x17F9A6FB, 0x91BBB731, 0xBDC1AFA1, 0x3F178408, 0xEBDBA9BE, 0xBEF3163E, 0xB9A4CB59, 0x3EF59F81, 0x9B56C3CC, 0x12A16A35, 0x2C9770BA, 0x4607A665, 0x8F18A8B7, 0xE9ADAB50, 0x61BA7177, 0x5994C866, 0x275D4BF6, 0x61BA1B65, 0xDF1AE889, 0x92146226, 0x5D8D134A, 0x4FD96547, 0xCE5A3029, 0xE9CBB28C, 0xAFAD85FF, 0x7D6C4BD8, 0x1BD650A0, 0x7B11C635, 0xC6A3FD93, 0x5698D6CE, 0x65580474, 0x20AF3A00, 0xE5B467F0, 0x2196B1B1, 0x051A7EDA, 0x21D9463C, 0xCB60B04F, 0xD96A3810, 0xC035A7E5, 0x59CCB18F, 0xEAFD6D92, 0x15B42A0D, 0x080123AA, 0x81F1111A, 0xDCBB84E8, 0xE4CB9BF8, 0x2687130C, 0xCBFDA0F9, 0x836F7824, 0x217F2AAA, 0x9565B3DB, 0xDD7BFCB0, 0x9FD17C7A, 0x32E7BC7B, 0xBDAB1F60, 0x586D8807, 0x957EBB29, 0x5324B8EA, 0x51E57D92, 0xF26E08E7, 0xFDEE05B2, 0x5B1B4CB3, 0x217868B7, 0x1BFD7F4B, 0xB278874F, 0xB2E88B48, 0xA0729FB2, 0x7336B90C, 0x78102859, 0x0FB959B9, 0x560852EF, 0x9FC24CDB, 0xA2A146FA, 0x47CFD712, 0x47067729, 0x22001F99, 0xE3510EEC, 0x3CADC571, 0x803E87C2, 0x91D2E3A5, 0x0C9BA638, 0x3C3E3D82, 0x395BFAEF, 0x94E5C07B, 0x3585CC80, 0x9FCB3AED, 0x5B565B3E, 0x36B345E2, 0xDB314ED4, 0xC7E3B704, 0x998C79E5, 0x40CD4538, 0xDBABF362, 0x086B4C64, 0x50E1E0F7, 0xC3EF9020, 0x7BFA8B0C, 0x78E6C87B, 0x34FC14EE, 0x51441895, 0xAC72B0FA, 0xC90C28F2, 0x86BFD301, 0x090E61FA, 0xADE7A2ED, 0xD0847320, 0x7F8D3E6B, 0x5C282B27, 0x214CCE60, 0xF5BF5A20, 0x84C5232E, 0x12B4C5FB, 0x3CE0E1E2, 0x6793E963, 0xCD83454C, 0x28DDC41E, 0x490DEB3C, 0xC84944DD, 0x64EF770C, 0x09E2DDC7, 0x8EBAD00B, 0xF73B6311, 0x26E4F0A9, 0x16424DC9, 0xF1AAFA6C, 0x8A91C42C, 0xF92A8C6F, 0x064D1D27, 0xF679734C, 0x8245CB8E, 0x3507F9CA, 0x30A3890A, 0x9C682420, 0x4F981732, 0x2FE6D5A7, 0x2C629F24, 0xAA28A0C0, 0x29C1EE78, 0x95A0B276, 0xAFF55CE9, 0xE8600CB4, 0x1D147972, 0xC30ACA07, 0xE15325E4, 0xCF8FCBE0, 0xDE8069EC, 0x0C377318, 
0xABBC4F2B, 0x287C4DF1, 0x368CD05C, 0x155B3C2D, 0x7DE6352C, 0x7C17AFC7, 0x3FD89B02, 0x0F499284, 0xA48180D3, 0x633B4568, 0xF783D891, 0x75A7445F, 0x2A1EBE63, 0x8D7636F8, 0xF37C81F5, 0xA8D8EAAF, 0x611A84A6, 0xA5D2CE3A, 0x5057BA20, 0x5F301299, 0xB43F29E1, 0xFF6F7B03, 0x0A84C2CA, 0x2567C1A8, 0x9C43B105, 0xAD5193CB, 0x11A1452C, 0xE14C525C, 0xF21F55FB, 0xD30E0EF5, 0xE09B697C, 0x314FEF7C, 0xF5BFFBFB, 0x0157F202, 0xC070F3BA, 0xB1C541C9, 0x63F8B2BA, 0x7C5E8EBE, 0xE43CF075, 0x8083E888, 0xBC4F3D09, 0x92285D1E, 0x2D672EFD, 0x7572CDD2, 0x2BA31F71, 0x60D1AF7A, 0xAA610B16, 0x8FF9CB08, 0xD7A93CEB, 0x22CD395C, 0xCC76CCDE, 0x0119B737, 0xEC118C6F, 0xBBCB7451, 0x6D17926F, 0x260D95B7, 0xE4D1B804, 0xA55A94E7, 0xF2200C91, 0xEE7D342D, 0x3C56F589, 0xD4AD854A, 0xFCD012CC, 0x7BFB7636, 0x07BEBD04, 0x2ACAA970, 0x797F3AEF, 0xFEA8DC35, 0x2FC95419, 0x5ADD3CD2, 0x44C3AD8F, 0x41977474, 0x24EC96DF, 0xEFC13AD1, 0xADDF0A9A, 0x7B208B4B, 0x29615127, 0x47006797, 0x3DE3D511, 0x5AF3DCF6, 0x04B915F5, 0x1A623918, 0x01FE3DAD, 0xF5F17694, 0x1285F323, 0x31D749F0, 0xDD52A6D2, 0x1C5E04A9, 0x29216350, 0x9408FB74, 0xA956B0FB, 0xC9D506E6, 0x5A45CE62, 0x4D03C6C9, 0xCA4D58A5, 0x67ECED8E, 0xB10E2A1E, 0x07A9F4D9, 0xC9831AF8, 0x5064527C, 0x5888B4ED, 0x33747F3E, 0xF2F09921, 0x7EB0E007, 0x0BF976D9, 0x8E797846, 0xC8FF7060, 0x7F617417, 0xA4FFCAB8, 0xBFE4A981, 0x59F68839, 0x19D240FF, 0xC2E8A03B, 0xDD48095B, 0xFEA34A77, 0xE90E078E, 0xF5027861, 0x46B591D0, 0x44DF28F3, 0x0AF6C07F, 0x98C23C44, 0x08C3C3E7, 0x6CDE42F1, 0x100D3A1E, 0x15AB95C2, 0xCF73FC1F, 0x244E2C16, 0x49F60921, 0xEB6773CF, 0x8DADFC83, 0xC757538B, 0x3E177B7D, 0x8346707F, 0x1C3EB263, 0x0960A04D, 0x6275BF0C, 0x4696573E, 0xB0CB0377, 0x761F9049, 0xDF80B6A9, 0x16E636CA, 0x5EB4AEAC, 0x32A6C528, 0x449501EF, 0x822B3AF8, 0x732723FF, 0x3252A55F, 0x1EA96527, 0x095E5E50, 0x42B4635D, 0x297A4446, 0x57C22234, 0x6FB43606, 0xF0A28580, 0x0AF9D4F9, 0x71D19114, 0x5B9F7DC4, 0x1090A425, 0x1B4623C2, 0x8C4292C6, 0x0D1ACAFC, 0x2FD78CA0, 0x19D6AA9E, 0x8E2BE86D, 0xBE647DBA, 0x5D7997AC, 
0xBA9607A8, 0x53DA3C8B, 0x42378A4A, 0xF8FE40D1, 0x63E64ADB, 0x943077AB, 0x1CB26664, 0x1867FCC0, 0x1E3FD051, 0xF7A2E813, 0x5630DD40, 0x63C3AFF0, 0x7C071BC2, 0x323469F8, 0xFA79B4C9, 0x847F4D69, 0xE2C672B3, 0x092E7CEB, 0x0BB02E58, 0x2ECEC4D3, 0x5A36E048, 0x977E3C0E, 0x0AC46F7C, 0x52EE87AB, 0xCC4C435F, 0xBD1C61C7, 0x54525B48, 0xD40DA591, 0xB408A1DE, 0x551F8909, 0xE75EB606, 0xEFFA5925, 0xA157EA6E, 0xEF04C630, 0x30D6B2FD, 0x93974DB0, 0x8FD58527, 0x90DE6220, 0x82CEA8F9, 0x591052A9, 0x1C439A7F, 0x1C31F642, 0xE77B1837, 0x14A92322, 0xA29A4FD4, 0xEB2FEA60, 0xAF7F9715, 0x8E1BD9B1, 0x594D9263, 0x75A2B18E, 0x97198667, 0x398D17F9, 0x005774ED, 0x0BBECC94, 0x796C45AB, 0x90970AD3, 0x0E04173C, 0x86FA376F, 0xDA29164E, 0x3E2BF22C, 0xAC837C98, 0x14B29B0F, 0xD0905162, 0xA70DD502, 0x4FC7CEB6, 0x8618F9A2, 0x0B3E5459, 0x4DD691BF, 0x44654D64, 0x677B1BFB, 0xC7D434A0, 0xB5D5C30D, 0xEDF66ACD, 0x5438B9D5, 0x829AE55F, 0x3EB875E5, 0x95CC86C6, 0x539A1FBA, 0x575EBCC4, 0x2DF54A82, 0x6498F59E, 0xD60A6D7A, 0x93F069E9, 0x025F61C7, 0x602137E0, 0x938356EF, 0xC264714D, 0x36865615, 0xE215DB5D, 0x5B02DB3A, 0x025D45B0, 0x7FCA44B5, 0x8B3BF942, 0x65AE7C65, 0xE47A4252, 0x27367E78, 0x4A6DD042, 0xB144763D, 0xAE998EDD, 0xE9ED4625, 0x406FC916, 0x6A93D875, 0xE1F232D0, 0xE46621AC, 0x9C5F77AE, 0xB2E49C9E, 0xED811912, 0xC4026CA1, 0x07241C23, 0x9D32BB32, 0x6B1DE4ED, 0x2499FD93, 0x39B9B063, 0xBC9A8FCE, 0x968070FE, 0xD8325633, 0xF948684F, 0x04074B4C, 0x51ED97FE, 0xCFFA78EB, 0x2A332CFB, 0xF8734C83, 0x9EB98D7E, 0x9E3219F6, 0x91F7A2C2, 0xA408F47F, 0xEE020475, 0xA6C779AA, 0xA509807F, 0x2D9E3194, 0x65567D2D, 0xE0F9B2F2, 0xB6D1C61E, 0xA432E186, 0x28D0790B, 0x2FB9EECB, 0xC5D2EFBF, 0x1560C8BB, 0x6631D64F, 0x7B5480CF, 0x32C5D470, 0xB4476222, 0xCBC4B80D, 0x3A025710, 0x3BF5CFCD, 0xAC84F7EF, 0x7CE7BF40, 0x31F17D40, 0xBFB3D6B0, 0xF6441213, 0x935FFD1D, 0x7D13C7C6, 0x4DD64207, 0x752878D2, 0x5ACDCE8E, 0x3ADBE66F, 0xFDF0FEFA, 0x96920A40, 0x2AFEE16D, 0x19639714, 0x1900F2D4, 0x4F48FF48, 0x8B1916BB, 0x32AF3828, 0x541A46C4, 0xB074F30A, 
0xDFC48427, 0x391A9A3F, 0xEE3096A0, 0x79546FAF, 0xDFEA8F2D, 0x7357DE4F, 0xE1AA869D, 0x7E7A0283, 0x98AE4090, 0x829F93A7, 0xAFF4F4EE, 0x10B31029, 0x20207DC2, 0x84D85E7A, 0xA09591B0, 0x15EE79EC, 0x48F4372B, 0x5D3AF1B8, 0xCE973485, 0xCA30FB24, 0xC159EC6C, 0xF9F970B6, 0xEE88CED0, 0xABCA3E18, 0x2E6432D0, 0x591295E5, 0x4C3ACB78, 0x902199CE, 0x6D3E1519, 0xCB48484C, 0xD1498272, 0x5F9531B2, 0xCCA0040E, 0x0CDECCFE, 0xE66581DD, 0xF819FAAC, 0x92062D1F, 0xB3D6AB4F, 0x5DFACE55, 0x099A3F5B, 0xC8F8299A, 0x4DFF47D5, 0xF8E0561C, 0x846B6695, 0x28727A9C, 0x1B67A3F8, 0x809D2E0B, 0x9BCD8641, 0x9859748A, 0x3BC6CABA, 0x2623B38C, 0xCA5C1336, 0x45D43AEA, 0xB7AE26EB, 0x157F0012, 0xF72A8B7C, 0x3EA2E768, 0x7912245E, 0x3C483C17, 0x62EF4E97, 0x61D1F66C, 0xDDD8D56C, 0x94EEA828, 0x0F70D770, 0x443B3334, 0x07DC2E5B, 0x407282D9, 0xC34A3446, 0xF8C7421B, 0x8047BEBB, 0x6A326958, 0x1E855D9E, 0xA37C6C99, 0x779BCA7C, 0x83E52319, 0x6987818B, 0xFED2C9DD, 0x3B470C19, 0x2C3FE2CF, 0x1B5487A4, 0x07B8D91F, 0x2D36597A, 0x6180A4A1, 0xB28660E7, 0x87CBB193, 0xC2E29E75, 0x9A1310AF, 0xD8F1B6F7, 0xE6963623, 0x0C257959, 0x526EFC9B, 0xA399AA5F, 0x8EC7D38F, 0x79C93D39, 0xD9AC09BF, 0x3DB7CC11, 0x8C5C29ED, 0xDB0A9341, 0x675B6CB2, 0xA8F3744E, 0x6C9E8533, 0x58877EA6, 0x4587438D, 0xD1FC7EFB, 0xE0BCC312, 0xF5258CB7, 0x0B18142B, 0x5C74F87A, 0xA8F73CED, 0x78B091F2, 0xDD657BEB, 0xCCBED1E8, 0x6B3169A9, 0x1B2EA588, 0x8C0013C3, 0x08C64938, 0x539B2009, 0x50D7493A, 0x25A698B9, 0x5EB2BEE1, 0xF906F8C4, 0x5DE365F9, 0xAC32E36F, 0xEE2FF4DE, 0xCC614A2E, 0x42E033BB, 0xA9171BD9, 0x979D7BC9, 0xD821CEE4, 0x23E39721, 0x5DCA2AAA, 0x32EFAD53, 0x68A591F9, 0x509C249A, 0xCAB86591, 0x5BA41EA1, 0xFABB7DD3, 0xD868AC6B, 0xF697787B, 0xE992CD61, 0x05620835, 0x67AA7948, 0xE3BD5E93, 0xC2E68753, 0x93371C1F, 0x7E93C055, 0x9C03BF7F, 0x3AF5CDDE, 0x204AD0A9, 0xA4C82488, 0x9FEB27C5, 0x5BF01527, 0x4E2C2E28, 0xE1780BB8, 0xD35CA6FE, 0x3F83F4FC, 0xF53A3DDE, 0x21D6B679, 0x9EC2B4D0, 0xD377CE20, 0x18B4E9DF, 0x44461529, 0xEF802D14, 0xBC8E1251, 0x43DA7D40, 0xD83CA211, 
0xB8160A94, 0xABC39264, 0x3D254F99, 0x64E84FE9, 0x59EB269C, 0x3E5CEA05, 0x692C83C8, 0x4B97857A, 0x67FB77DC, 0x495A76F8, 0xB0BF2BF1, 0x9133E20E, 0xF680B4FC, 0x2C337D83, 0xA7CED3FE, 0x58E2E2E2, 0xABA82F22, 0x49E9ED79, 0x827EE739, 0xDDC3F7C6, 0x2FA80E17, 0x0329160C, 0x6B44ABC5, 0x6082526F, 0x7FD1B111, 0x5BFF9181, 0x694C0008, 0x01815B00, 0x26ED3E7B, 0x1F3CEB79, 0x7F30843A, 0xBFCD4537, 0x2DE733C0, 0x63E55DAB, 0x4F4ED641, 0x71DFCC25, 0xAC6EEE15, 0x00A78EBE, 0x7DDF6250, 0xEE039ECF, 0xDE879117, 0x3B856043, 0x6643303A, 0x8729EB76, 0x4F07D61A, 0x419A4357, 0x1A4C4CB0, 0xD88E5F08, 0x31780356, 0x8B82ED31, 0x27E9AC05, 0x309CAB4E, 0x4654188C, 0xE6612932, 0xD9A60590, 0xB1EB92B0, 0x063C843C, 0x08C8BA7F, 0x03270C71, 0x8F316B1E, 0x45B6D5E7, 0xEEF147AC, 0x900CC097, 0xF1833A4D, 0x297AF1CD, 0x559A950E, 0x408E2EED, 0x3E21B8A0, 0x3AEA4200, 0xEC54C0A2, 0x650DE6B0, 0xE99467E6, 0x5A59BFB3, 0x1756821B, 0x1D2A6EC6, 0x31D59CDE, 0xADB7AEDD, 0xF27136CA, 0x3C96205A, 0x0B0F9014, 0x235E1FAB, 0xD517FB12, 0xF1A91177, 0x6958DD01, 0xFF291B57, 0x581D81C5, 0x9B1B5D7C, 0x653712E6, 0x60A43543, 0x350793E8, 0x0C868DF3, 0xFCE25A29, 0x924A2818, 0x9D6B64F2, 0x1FA55408, 0x69ED0232, 0xCB39FE50, 0x905F3840, 0x0A50B8BF, 0x1CD45CB8, 0x19E2ABBF, 0xD3B3F90E, 0x202313CB, 0xE77E9210, 0xB8D02BFB, 0x45E7D4E8, 0x160C1D94, 0x26430C81, 0x0EB22D82, 0x99A97DF4, 0xFED39A97, 0xD5E67799, 0xFB0D394A, 0xA2D53074, 0xA52D6E28, 0x99823802, 0xDCEF38C9, 0x25EBD245, 0x5F43CE5E, 0xF75DBCD0, 0x43D3B152, 0x62A5C24A, 0x357E06D8, 0x867DB0AC, 0x62CF1DCB, 0x8D787E4B, 0xE4EAA9B5, 0x0AD8351E, 0x611F7731, 0xAA2426C1, 0x33929C53, 0x4F79C5B0, 0x04093FE6, 0x3F10072E, 0x7C0F8C33, 0x797DFE15, 0xA9CED806, 0xEA747935, 0xA1A5B18D, 0xCBA3F2BC, 0xAF518507, 0x2CE561D7, 0xAAAED39D, 0x6334F363, 0x40243C71, 0x32561CD6, 0x436A6AC7, 0xA03A58D6, 0xAFF610DF, 0xB92887DD, 0x795BB8E0, 0x57AFD55D, 0x609432FF, 0x73659625, 0x27485E32, 0xF2F3AE1C, 0xD1DB0C46, 0xE6C303C2, 0x2708D87A, 0xE9B0A706, 0x9617A4E6, 0xDF51BD4E, 0xBAF40776, 0xBC0971F4, 0x6218D1ED, 0x8D6BD8AD, 
0x1136BCFB, 0xB40E88D9, 0xAD4646F6, 0x28AEF830, 0x0942CA68, 0x2BBAD6B0, 0x75ACCD23, 0x87C4D094, 0x7BB9A8B0, 0xDD7EF2C2, 0xCB22D695, 0x7D2C4188, 0x5CDE02DC, 0x89833CED, 0x63AFF1E3, 0xE93D3BE5, 0xACD910E9, 0xBD37A4AD, 0x63862451, 0xA9D3FD2F, 0x8B71FBBF, 0xC2D887D2, 0x6F57EAD7, 0xF1681DFE, 0x91B7DE91, 0x1A0D3F6D, 0xF96CC0F8, 0x14D66FC8, 0x255EF831];

def sub_1400011C0(data : int):
    """Round function of the cipher, re-implemented from the decompiled binary.

    Splits ``data`` into its four bytes and uses each one as an index into a
    different 256-entry region of ``dword_140005090`` (offsets 0x000, 0x100,
    0x200 and 0x300), then mixes the four looked-up words with XOR and
    addition. The result is truncated to 32 bits.

    NOTE(review): the overall layout (18 round keys, four byte-indexed tables,
    16 Feistel rounds) resembles Blowfish with extra constants -- not confirmed.
    """
    b0, b1, b2, b3 = ((data >> shift) & 0xff for shift in (0, 8, 16, 24))

    from_b0 = dword_140005090[b0 + 0x300] ^ 0x22
    from_b1 = dword_140005090[b1 + 0x200] ^ 0x22
    from_b2 = dword_140005090[b2 + 0x100] + 34
    from_b3 = dword_140005090[b3] ^ 0x22

    # Intermediate values may exceed 32 bits; only the final result is masked.
    mixed = from_b1 ^ from_b2 ^ from_b3
    return (from_b0 + mixed) & 0xffffffff

import struct

# 16-byte value the writeup obtained from the RC4 step, handled as four
# big-endian 32-bit words (two 64-bit cipher blocks).
enc = bytes.fromhex('BAE038CEB74AF7FFEC767230B6673AF1')
enc_lst = list(struct.unpack('>4I', enc))

print([f'{x:08X}' for x in enc_lst])

# Decompiled forward (encryption) routine, kept verbatim for reference.
# It is a bare string expression and is not executed.
"""
  __int64 result; // rax
  int i; // [rsp+20h] [rbp-18h]
  int v4; // [rsp+24h] [rbp-14h]
  int v5; // [rsp+24h] [rbp-14h]

  for ( i = 0; i < 16; ++i )
  {
    *swlow0 ^= dword_140005040[i] ^ 0xE;
    *swlow1 ^= sub_1400011C0(*swlow0);
    v4 = *swlow0;                               // swap(low0,low1)
    *swlow0 = *swlow1;
    *swlow1 = v4;
  }
  v5 = *swlow0;                                 // swap low0 low1
  *swlow0 = *swlow1;
  *swlow1 = v5;
  *swlow1 ^= dword_140005040[16] ^ 0xE;
  result = dword_140005040[17] ^ 0xE ^ *swlow0;
  *swlow0 = result;
 """


def _undo_rounds(low0, low1):
    """Invert the forward routine above for one pair of 32-bit words."""
    # Undo the final whitening (round keys 17 and 16) and the post-loop swap.
    low0 ^= dword_140005040[17] ^ 0xE
    low1 ^= dword_140005040[16] ^ 0xE
    low0, low1 = low1, low0
    # Walk the 16 rounds backwards: undo the swap, then the two XOR steps.
    for rnd in range(15, -1, -1):
        low0, low1 = low1, low0
        low1 ^= sub_1400011C0(low0)
        low0 ^= dword_140005040[rnd] ^ 0xE
    return low0, low1


flag = []

# The two halves of enc are decrypted independently, one word pair each.
for pos in (0, 2):
    word0, word1 = _undo_rounds(enc_lst[pos], enc_lst[pos + 1])
    print(f'{word0:08X}')
    print(f'{word1:08X}')
    flag.append(word0)
    flag.append(word1)

# Re-serialise each word as big-endian bytes and print the text it encodes.
for d in flag:
    print(struct.pack(">I", d).decode(), end='')

pwn

signin

让整数输入为负值绕过(-4294967230 的 64 位补码就是 0xFFFFFFFF00000042,低 32 位为 0x42):
FFFFFFFF00000042
-4294967230

HECTF{69ff941131991b8a02c99a4787dee35e1dfb11f9}

misc

有5位嘛

1.伪加密
2.掩码爆破。
3.复制密码解压

NTLM

在数据包中找到 NTLM 认证的相关字段,整理成如下格式:

administrator::WIN2008:9a88373dbb4f5e36:4eb74543b9962bb2ca36e938909bb930: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

爆破。

ezpcap

得到字符串 HELLOHECTFX2z0Um23RF,密码是 HELLOHECTF 后面的 X2z0Um23RF。
导出 zip,用该密码解压得到 flag。
